[OpenID] Another Client-side Password Phishing Mitigation Idea

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sun Jan 21 22:12:30 UTC 2007

This kind of detection can be is very easily avoided in my opinion.

We need to send a clear message to OPs or RPs: "Please include this in
this way to make your form detectable by various browsers/plugins that
will apply additional layer of security", not: "there are some regular
expressions and some fuzzy logic, so there is high degree of
probability that your form will be treated as login form and protected
by Identity Manager". This should be boolean, not fuzzy. And also
should enable browser/plugin makers to compete in creating the best
security plugin. Identity Manager is one option. We let users to
choose their OP, so we should let them choose their security



07-01-21, Dmitry Shechtman <damnian at gmail.com> napisał(a):
> Marcin,
> I assume you are talking about an "identity manager plugin". Actually, I
> envision it as core browser functionality.
> I don't quite understand what you mean by "plugin will not start". My
> suggestion includes RP detection as explained in the reply to your comment
> to my post.
> Regards,
> Dmitry
> =damnian

More information about the general mailing list